Posted by samzenpus on Wednesday June 15, 2011 @01:55PM from the one-bad-app-spoiling-the-barrel dept.

Trailrunner7 writes "For the third time in the last few months, Google has had to remove a slew of malware-infected apps from the Android Market and suspend some publishers. Ten Android apps in the Official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Researcher Xuxian Jiang claims that early variants of the Trojan have evaded detection for as long as two months."

Actually, I'm very torn whether to replace my original Droid with a Droid 3 or an iPhone 5 when the two do mortal battle later this year... The iPhone 4s I've used are pretty snazzy, and my wife's iPad is sweet, but dammit I LIKE android.

All that does is create an even bigger divide between the people that do it and the people that don't. And people that download half of the malware (the junk apps versus at least legitimate looking apps) are probably too stupid to recognize it anyway, thus negating the purpose unless it's done across the board.

I agree that it is better than nothing, but creating a market where the big fish will probably get rubber stamped anyway, I feel uncomfortable with the idea of suggesting a system where the little fish

The malware scare is going to knock the little guy off equal footing anyway. Right now the malware apps are obvious, because it's cheap and easy to create crap that morons will download. But eventually, as people get a bit smarter, the malware apps will start to look more and more like normal, decent apps. At this point, when you can't easily tell a malicious app from a non-malicious app, some users will stop downloading from little guys altogether, and only trust downloads from brands they recognize.

Google has historically taken a hands-off approach to policing the Android Marketplace. It will suspend and remove suspicious or malicious applications when they're reported, but does not vet applications prior to posting them, as Apple does with its AppStore.

Ah, that's what the story is really about. I'm surprised it took them so many paragraphs to get to their real agenda.

localman57 has the solution. And who's to say that Google has to be the one doing the code reviewing? Why couldn't a group of Androi

It doesn't have to be Google. But there really needs to be a single reviewer source. Think "Underwriters Laboratories" for software. Otherwise, the malware writers just set up their own review boards, and stamp it quality. As Tommy Boy once said:

I can take a shit in a box, and mark it guaranteed, but then all you'll have is a guaranteed box of shit.

You (and your friends) can't be allowed to stamp your box.

Google would be the obvious choice, though, since they have the biggest investment to lose if this all goes to hell.

And the reviewing panel would probably do a great job for 2 months or so... and then they push back against crap code (because it would be harder to detect trojans in it if you can't tell what the heck it is doing) and then the developers would push back because the panel isn't supposed to comment on their code, just certify it as trojan free. Then they would either stop being a clearing house or would approve an app with a trojan in it, and by this time everyone would have just purchased an iPhone.

Why couldn't a group of Android developers get together and set up a reviewing panel that will certify apps as threat-free? Before I download an app, I can see if the reviewing panel lists it or not and have that one extra data point with which to make my decision. If the panel's work is done in a transparent manner, people would trust it and they would have a measure of safety without having to be walled inside.

The only people that would protect are the people who don't need protection.

Sure, but that's what transparency is for. And there will be a lot of eyes on them.

It will become clear pretty quickly if the "guardians" can be trusted.

The only reliable guardians so far seem to be Apple. You're right that there needs to be some sort of QA panel for Android, but the only reason there's a call for one is Google's inability to do the job themselves. It's their store, after all.

You can bitch all you want about a "walled garden", but at least it serves the consumer.

I agree. I know most slashdotters are relatively savvy users and aren't going to install the ZOMGFREEMONEY$$ app, the expanding user base guarantees that malware will get more sophisticated over time.

Sure, we could only install applications developed by a corporation we already deal with and should have an interest in keeping us happy and keeping our business by not installing malware on our devices (Sony jokes aside), but doesn't this suppress the audience for "little guy" developers? Isn't that contrary t

Sure, we could only install applications developed by a corporation we already deal with and should have an interest in keeping us happy and keeping our business by not installing malware on our devices (Sony jokes aside), but doesn't this suppress the audience for "little guy" developers? Isn't that contrary to the spirit of FOSSetc?

Google's Marketplace has nothing to do with FOSS. So long as they don't try to lock users out of their own devices (by barring sideloading) then it's a non-issue.

I know that on /. you always have to couch every post with a defense for every possible pedantic reply, but in this case, I thought "FOSSetc" would encapsulate the spirit of the vaguely "open" android platform and the spirit of the enterprise as a whole.

Sooner or later Google will need to do some sort of Quality Control on their store, or they'll just keep making the Marketplace look even less trustworthy and push people to the Amazon store.

Alternatively those of us who do not mind researching apps using the internet before we install them will carry on buying Android phones. I treat my phone like my home PC, I install stuff I trust after some basic research. Since Apple are not infallible I am more willing to trust my own judgement than theirs. If I screw up, I know who to blame and can learn from my mistakes, if Apple screw up I just have to trust them learning their lesson on blind faith.

Alternatively those of us who do not mind researching apps using the internet before we install them will carry on buying Android phones.

We need the unsophisticated users to buy the Android phones, or there won't be any. The economy of scale has to be there. If Android phones alienate the average user, then they'll end up like the N900: kick ass, but expensive and a relative hassle to get.

We need the unsophisticated users to buy the Android phones, or there won't be any. The economy of scale has to be there. If Android phones alienate the average user, then they'll end up like the N900: kick ass, but expensive and a relative hassle to get.

There will always be Android phones.

However, the problem is if the perception of the Marketplace is that it's full of malware ready to steal your phone's data and cost you a fortune in long-distance and premium phone number calls, then people may shy away from downloading any app from it. (or alternative app stores for that matter, since you can't trust that they aren't sending you malware either).

Which means to most users, Android is the phone and what it comes with - the Marketplace will simply be a "never touch" zone. Which means Android devs have a harder time.

Heck, carriers may see this and demand that Amazon be the primary marketplace allowed on the phone as a safety measure. And if that's the case, Android devs may have to submit to Amazon's even more restrictive terms.

Google announced today that to avoid lawsuits from Apple over the app store name and to better describe the products offered, they are changing the name to the "malware market". They were immediately sued by Microsoft who claim to have copyrighted malware infected operating systems.

They have better things to do. The international nature of this sort of stuff makes investigations, as well as civil and criminal court actions exceptionally difficult. Google is a technology company. They're better suited to come up with a technological solution. Most of the big wins against Spam and the like come from counter-attacking the bot-nets, not from going after the people.

...but there's something to be said for iOS being a "closed" platform with a (mostly) strict approval process. There's a lot of controversy about apps getting blocked from the iTunes App Store, but so far there haven't been any significant outbreaks of malware/trojans like the Android platform has had.
Caveat: I actively develop for both platforms, so I have no "stake" in either side. Just making a point about the open vs. closed issue in relation to PII leakage risks.
Let the flaming begin!

I think you misunderstand GP's point. Apple is actively hostile against jailbreaking (bricked device, anyone?). What GP wants is the ability to choose, and be left alone if he does jailbreak his iOS device.
Shelter in the safety of Apple's curated store, or brave the Wild West without interference from King Jobs. Android does the latter (bootloader lockdowns by individual manufacturers notwithstanding), but not the former. Amazon is starting to supply the former for Android. GP is saying that Apple should

Is Apple actively hunting down jailbroken devices and hacking in to them to brick them or are people who have jailbroken their device updating the device without finding out if the update shouldn't be used with their jailbreak of choice?

Remember that the first updates after the first jailbreaks would brick people's iPhones. Now, that's arguably a consequence of poorly-made jailbreaks, and I'll concede that, but some people did end up with shiny paperweights, and Apple (rightfully, according to their EULA) did not do much to help them. They also try and lock down any avenues that jailbreaks use to prevent simple re-jailbreaking after an update. Perhaps "actively hostile" was not the best term, but the point is, Apple certainly could facilit

Remember that the first updates after the first jailbreaks would brick people's iPhones. Now, that's arguably a consequence of poorly-made jailbreaks, and I'll concede that, but some people did end up with shiny paperweights, and Apple (rightfully, according to their EULA) did not do much to help them.

Wow, yeah, that sounds so awful of them!

And the update you are talking about 'bricked' iPhones that had been unlocked, not jailbroken. The unlocks overwrote the baseband. This is not something to be undertaken lightly. A later iPhone OS update included a baseband update that fixed the so-called 'bricked' phones.

I stand corrected (by both you and SuperKendall, who might've had problems reading the rest of my post). However, leaving aside bricked phones for whatever reason, I stand by the rest of my point. I believe users should be given the choice between the two (and hide the 'jailbroken Wild West' option where only power users are going to find it if need be) instead of this cat-and-mouse game with every update.

With the VERY FIRST iPhone, a few iPhones had issues with unlock hacks (which is not the same as jail breaking) interacting poorly with firmware updates, because they had re-written parts of the firmware...

What GP wants is the ability to choose, and be left alone if he does jailbreak his iOS device.

Okay, so you responded to me twice correcting my statement regarding bricking. That's about the only logical thing you said. I'm going to give you the benefit of the doubt and assume you didn't follow my thread of logic instead of assuming you just didn't even read my post properly or that you're some kind of idiot.

What GP wants is the ability to choose, and be left alone if he does jailbreak his iOS device.

brave the Wild West without interference from King Jobs

Unlike you 90% of the populace does not wish to be gunned down in the streets, which is the world you would have them live in against their will - because you are against the CHOICE by users to live in that walled area if they find it safer and more pleasant.

Uhh... no, my entire point is that users should be given the choice of EITHER an Apple-like walled garden OR the life of a jailbreaker... but that Apple (or Manufacturer X, in a broader sense) sh

Does Jailbreaking void your warranty? Oh? darn. I guess your argument is just fallacious. If I HAVE to void my warranty in order to use alternative applications on my phone then the market concept is NOT OPEN no matter how much of a bow you wrap around it. Time to take the fanboy Kool-Aid and sit it out for a round.

The one were complaining about Apple's "walled garden", while simultaneously avoiding saying anything that might make it sound like a good thing for the customer, is worth +5 Insightful, regardless of linguistic gymnastics or factual inconsistencies involved.

Apple's model for iOS has worked out fantastically. iOS outnumbers Android close to 2 to 1. Yet somehow, according to slashdot nerds, this model doesn't work well for consumers, and they are clamoring for alternative app stores.

2. If iOS devices made it easy to use another store, then non-technical users would be at more risk. They would get an email that said, "Hey try out this fun app" which would take them to the non-curated store, they would blindly click-through all warnings from the OS and voila, you've got a mobile experience every bit as toxic and unusable as the Windows PC experience--and you've just destroyed Apple's value proposition and their $100B market cap.

What it really boils down to is that most of Apple's critics (a) don't care at all about non-technical users and (b) really want Apple to fail anyway so are happy to argue for Apple to adopt flexibility that would lead to financial disaster for them. Apple fundamentally disagrees on both points so you aren't going to sway them.

Let's just agree to call it totally unvetted functionality that Apple didn't have a clue about?

And let's also be honest about the fact that it wasn't malware, quite unlike what is being discussed here on the Android Market.

Trojans are a type of malware. The flashlight tethering app wasn't malware. If you want to call it a trojan because it had hidden, but non-malicious functionality, feel free. But don't act like that's what people are talking about when they say 'malware' or 'trojan'.

Your comment is indicative of the kind of arrogance that makes people hate so many technically proficient people. Do you even realize how arrogant you are to call people "morons" because they don't happen to have the kind of technical understanding and knowledge that we have? I'm sorry, but it's YOUR ARROGANCE that marks you as the real moron.
People have different skills and knowledge. Yours (and mine) happens to be in a technical field, among others, presumably. But you have areas where you don't know anything, too. Everybody does. Just because people don't value YOUR subject area above all others doesn't mean they're morons who are "dumb users." Just as a person who doesn't want to be an auto mechanic isn't a moron when he simply wants his car to work without him futzing with it.
You really need to climb down from the high horse and realize that people aren't necessarily morons just because they don't know everything about IT that we know.

I think you're jumping way too high in calling your OP Arrogant or anything.
I am sorry, but the last batch of apps that were removed from the Market contained applications with names such as "Screaming Japanese Girls". If you install those kind of apps on your phone, no one else than yourself can be blamed if you get a malware with it. And in all honesty, the category of people who would download those could fit in the "moron" category - nothing to do with being tech-savvy or not.
The aforementioned tech-sa

To tack onto your car analogy, people who know a lot about cars often mod them to their desires. People who don't know a lot about cars don't normally tweak their shocks, install aftermarket sensors, NOS, or any of the other crazy shit people do nowadays. Or if they do, they hire somebody to do it for them. The day I install a NOS into my jeep is likely the day before my fiery death and I thankfully know this. People need to realize that installing random shit onto their phones

I understand that today's society encourages us to tell everyone that they're special and smart and wonderful, even when they're not. I don't subscribe to that theory, however, and object to being labeled as arrogant because of it.

You're right. There are plenty of areas that I know next to nothing about. I am, however, smart enough to know that I don't know much about those areas, and so I ask questions if it's an area I plan to get into.

Your post is like suggesting that someone who doesn't know how to swim

Thousands of engineers labored for years to build the hardware and low-level software so that you can prance about writing your Ruby code or whatever the fuck you do that makes you think that you are some sort of tech genius. Those engineers put a lot of effort into making sure that you didn't have to be a semiconductor physics expert in order to use computers and that you weren't going to accidentally set the thing on fire with the wrong set of keystrokes. Compared to those engineers and relative to their

You have... Utterly missed my point. I have no problem with layers of abstraction. (and btw the last time I coded anything was about 15 years ago, and it was in assembly, was a dismal failure, and I can't remember anything about that or any sort of programming beyond old Logo commands. Not my field). I have a problem with people using their particular abstraction and then pointing at people using a different abstraction that they obviously don't understand and howling about how dangerous it is. Android is n

I understand your point (and the other replies at this level). I would say, it is becoming harder and harder to justifiably recommend an Android phone to a non-technical user. I would say, "try Android, it is a better choice than an iPhone, as you avoid the walled garden." However, based on many of the comments I've read on /. lately, I'm not sure this is a good thing:

-if they buy most Android phones, they find themselves locked into an even worse experience because of the crapware and lock-in that mo

I'm with you. I don't recommend Android to strangers. If you come up to me asking which smart phone you should buy, that's a good sign you don't know much about smart phones and so you should probably get an iPhone, because if you were tech-savvy you'd already know what you wanted. If it's someone I know, I'll only recommend Android if they're reasonably competent with tech toys. I don't even mean "able to root a phone successfully." I just mean "able to read "this app wants to read your contacts" and deter

I understand that today's society encourages us to tell everyone that they're special and smart and wonderful, even when they're not. I don't subscribe to that theory, however, and object to being labeled as arrogant because of it.

Yes, clearly you've been told you are "special, smart and wonderful" a few too many times growing up. Your head is the size of a planet.

Not being a tech nerd does not relegate one to being a moron. You *are* being arrogant. You can't see the difference between being ignorant and being a moron. You can't seem to grasp that not everyone is going to have the same interests and motivations as you. For every person you are calling a "moron" simply for being as interested in tech details as you, there's something

I'm growing tired of responding to the same points over and over, but I'll point out something that you're not getting:

"ignorant" has two components: Willful, and natural. I don't fault people for natural ignorance. I do fault them for willful ignorance, in which they decide to get involved with something, be it smart phones, computers, cars, or politics, without bothering to find out anything about it, and then complain because they (intentionally) didn't know how it worked, and screwed it up.

Depends. If I pick up a jar labeled "biohazard" and open it without finding out what the stuff inside might do to me, or finding out how to properly handle jars with such labels, then yes, yes I am.

Sorry, I must have missed the part of this story where malware is marked as "Warning: Malware".

There's no fallacy here. People complain when their phone gets jacked. People use their phone. People don't bother learning the basics about using their phone so it doesn't get jacked. That's dumb.

Yeah, it's *really* dumb of people to not know how to tell what's a trojan or not! I mean, it's really simple, you just sorta "know" when something looks suspicious, and with a little digging, bam! you now know if it's a trojan or not. I mean, *anyone* can do this, right? All you have to do is keep up on current malware trends, and have used enough software to tell the difference of what seems legit or not, includ

I mean, it's really simple, you just sorta "know" when something looks suspicious

Well, yes, it is, and you don't have to keep up on malware trends to do it. If you find a calculator that wants to read your contacts, and use the internet, and access your GPS location, and send email, it's pretty damned obvious that a calculator would not need to do these things and therefore there's something suspicious about it. No, you don't know for certain that it's a trojan, but you damn well know that it's suspicious a

Elitism certainly is a black mark upon technical fields, you're right. But I'm not entirely sure I disagree with shadowfaxcrx. Here's the rub: if you want to use *ANY* product, there is a minimum skill set required to use it. Ever see toys with the label "Warning: not for use by children under three (or five, or seventeen) years of age!" or household appliances that say "Adult supervision required"? Or, to drive a car, you must first prove to the DMV that you have the necessary skil

Okay, when was the last time you saw a computer with a warning sticker? Or a requirement to show a license and insurance? Heck, does it say on the Google Apps Mart (or whatever) that the apps may be dangerous?

If we're going to market computers and smartphones as if they were completely safe, people will use them as if they were completely safe. There's too many complicated things out there for everybody to keep track of all dangers themselves. I know something about the dangers of software, but there

Are you one of those people who thinks we should have a warning label on anything that could possibly be hazardous? I mean, squirt guns don't have a label telling you not to take the trigger off and jam it in your eye. Are you saying that someone who does that is not stupid?

element-o-p got what I was saying precisely. If you use anything, at all; Smart phone, skateboard, saw, glue, anything, you should familiarize yourself with it just on a basic level. As element said, you don't need to go out and get an

The closed iPhone store is a great advantage to have when you sell phones to morons.

No flames there.

(and to be fair, as the latest Mercedes commercials featuring drivers crediting the car for bailing them out from being idiot drivers demonstrates, it's not just in electronics).

You're right, we'd all be better off if these people and their passengers were dead, or better yet, quadriplegics on disability.

If Apple wants to market their phones to morons by basically saying "don't worry, we'll protect you from your own stupidity,"

God grant me the serenity to accept the stupidity we cannot change, the courage to change the stupidity I can, and the wisdom to not consign people who don't meet my standard of intelligence to ruin, misery, and death.

I'm probably dumb to reply to this, because I somewhat suspect you're trolling but...

(and to be fair, as the latest Mercedes commercials featuring drivers crediting the car for bailing them out from being idiot drivers demonstrates, it's not just in electronics).

You're right, we'd all be better off if these people and their passengers were dead, or better yet, quadriplegics on disability.

How about we'd be better off if they paid attention to their driving instead of texting or talking or whatever else they

I drive a Volvo S80 with "Collision Avoidance" which is very similar to the Mercedes technology; it uses some kind of radar, coupled with the car computer to figure out if your current speed/acceleration might result in a collision with the object in front of you, using the radar to measure its distance.

If you meet the criteria, it sounds an audible and visual warning and pre-charges the brakes

I thought it was kind of BS, but there have been a couple of incidents where I think it has s

I agree with you. Morons are morons, shadowfaxcrx. But you're talking about someone's loved ones who aren't as smart as we are (possibly including yours). Hearing that your father, mother, brother, sister, son, daughter, grandfather, grandmother, etc are stupid morons who deserve the fates they get is really, really harsh. If you're willing to look your family member/friend in the face and call them a stupid moron for downloading what they thought was a reasonable app (let's just concede that anyone who do

I appreciate what you said, and hope you don't have the impression that I go around seeking out stupidity and yelling "moron!" at those who do something dumb.

I have, however, been known to tell people (yes, including my mother) that something they did was dumb. In fact, I've even told her that it was dumb to download random games off the internet without checking to see if they're legit first. I told her that after wiping and reinstalling Windows for her (again) not because I think she is an idiot, but beca

(and to be fair, as the latest Mercedes commercials featuring drivers crediting the car for bailing them out from being idiot drivers demonstrates, it's not just in electronics).

You're right, we'd all be better off if these people and their passengers were dead, or better yet, quadriplegics on disability.

There's a problem with that. I was reading an article recently -- I think it was in the most recent issue of Motorcyclist magazine -- that claimed that accident and accident fatality statistics don't seem to support the claim that improved technology actually makes the roads any safer. According to the article, safety equipment like seat belts, ABS, traction control, helmets, neck braces and body armor (the last three more for motorcyclists than drivers, obviously) can certainly have a pronounced affect u

I'm really suspicious of the statement that improved crash technology doesn't 'work'. I'm too busy to go look up the US stats but I'm under the impression that auto fatalities ARE dropping. Part seems to be clamping down on drunk driving, part seems to be the newer vehicles. I work as an ER doc and I've seen some really trashed vehicles result in very minor injuries. I know that's anecdotal but I've seen lots of car wrecks over the years.

On a similar note, my last Recbok sneakers broke in half and the Neki sweatshirts were conspicuously tissue-thin. It's a good thing I found Adibass to replace it. Now if I could find a BAFS or DTK tape for my Panascanic personal cassette player...

In case you're wondering, that's "Author too stupid;didn't read"
When I saw that the author apparently didn't know the difference between 'affect' and 'effect' I gave up.
IMNSHO, If you can't get that right, you don't deserve to be read.

The Android Market in general is pretty broken because of the lack of even a rudimentary review process. The other day I was looking at the new releases in the Sports Games category and there were about 5 or 6 pirated ebooks of Harry Potter, the Twilight Series and several others. Needless to say, this is not only illegal, it's in the wrong category.
This has been a problem in the market since its inception and Google still has yet to do anything about it. If they are unwilling to have someone at least look over the titles and categories that an app is placed in before allowing it on the market, in order to cut back on massive copyright and trademark violations and make browsing the store by category possible, why do we think they'll take any preemptive strike against malware?
Google doesn't even give Android developers a convenient way to contact them. It seems to me that they wanted the Android Market to be a set it and forget it kinda thing. Will the negative publicity from the malware force them to change that stance? I doubt it.

I've noticed that from the beginning. All the apps offering (IP-infringing) ringtones and soundboards, pretty much from day one, never mind pirated ebooks and so on. I think Google's strategy is kind of the Youtube/safe harbour policy: Let people decide what they want to see, take things down on complaints.

I'm not saying this is the smartest idea, because I tend to be quite wary about any app that has permissions I can't immediately determine (why does a calculator need full network access? Okay, perhaps

Mod parent up. Software people need to understand this: users cannot be asked to do "deep research" and "understand permissions", they do not have the time, and they paid good money for their device that should simply work.

And we can say they are "noobs" or "stoopid" all we want, and do not deserve nice things, but the reality is that examining permissions is right now really user-unfriendly, and actually not possible: I can easily make a program that requires map access and being able to send a data messa

Maybe Google could require an ESRB-style disclosure on what permissions are needed for what (I say ESRB because game developers are required to submit a listing of content that may be offensive/suggestive/etc. with their application for a rating), with real penalties for screwing around. The disclosure could go with the app in the market, putting it up front in a more obvious way that, hey, this Angry Birds level

This means that the default should be a closed store. It doesn't mean that the phone should not allow additional channels for application installation - they just shouldn't be easily discovered by casual users (e.g. it can be something like about:config in Firefox).